Random subspaces for encryption based on a private shared Cartesian frame 
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A private shared Cartesian frame is a novel form of private shared correlation that allows for both 
private classical and quantum communication. Cryptography using a private shared Cartesian frame 
has the remarkable property that asymptotically, if perfect privacy is demanded, the private classical 
capacity is three times the private quantum capacity. We demonstrate that if the requirement for 
perfect privacy is relaxed, then it is possible to use the properties of random subspaces to nearly triple 
the private quantum capacity, almost closing the gap between the private classical and quantum 
capacities. 



I. INTRODUCTION 

Quantum information theory is concerned with imple- 
menting various communications tasks with a minimal 
use of resources In multi-party protocols, the most 
interesting resources are nonlocal ones, such as shared 
classical key or entanglement. Recently, it has become 
apparent that shared reference frames (SRFs) are an- 
other form of nonlocal resource that may be included in 
the accounting of any multi-party information-processing 
protocol. Heuristically, two parties are said to share a 
reference frame if there is a perfect correlation between 
the systems that define the bases of their respective lo- 
cal Hilbcrt spaces. For instance, if Alice and Bob each 
define their local Cartesian frame using classical gyro- 
scopes in their labs, then they possess a shared reference 
frame if the rotation relating the frames defined by their 
gyroscopes is known to them. 

Like entanglement, no amount of discussion between 
Alice and Bob will allow them to establish a shared ref- 
erence frame; doing so requires a physical interaction be- 
tween them that goes beyond the framework of classical 
information theory and, for that matter, the usual for- 
malism of quantum information theory. For example, to 
establish a shared Cartesian frame between their respec- 
tive labs, Alice and Bob may make use of a pre-existing 
frame such as the fixed stars or the Earth's magnetic field. 
However, if no such shared frame exists a priori, then no 
amount of discussion will enable them to establish one; to 
do so, they must exchanges physical systems that carry 
some directional information such as spin-1/2 particles. 
Understanding the value of a shared reference frame as 
a new nonlocal resource and its relation to both private 
and quantum communication is therefore an important 
necessary step in the ongoing effort to understand the 
nature of information in physics. 

Substantial progress has recently been made in this di- 
rection. Most research has focussed on determining the 
communication cost to establishing an SRF |^, H, |j, |M 
0, 0, 13 • There have also been several investigations into 
the impact of SRFs (or the lack thereof) on the efficiency 
with which one can perform a variety of bi-partite tasks. 



such as quantum and classical communication |^ Il0l |. 
key distribution lllllll and the manipulation of entan- 
glement 0, IT3L Il4 iTsj. Other work has studied the 
cryptographic consequences of the participants' lack of 
an SRF 0, 0, 0| . Here we shall be interested instead 
in using private SRFs as a resource. 

An SRF is private if the systems that define Alice and 
Bob's local Hilbert space bases are not correlated with 
any other systems. In this case, the SRF can act as a 
new kind of key for private quantum and classical com- 
munication over a public channel. Consider a private 
shared Cartesian frame, as in [l^ . Under the require- 
ment that the communication have perfect fidelity and 
the privacy be perfect, it was found that for N trans- 
mitted qubits, the number of private qubits that can be 
communicated asymptotically is log2 N , and the num- 
ber of private classical bits that can be communicated 
asymptotically is 31og2 A^. This unusual factor of three 
relating the quantum and classical capacities is under- 
stood in terms of the details of the representation theory 
of SU(2) but should be contrasted with the "usual" 
factor of two that typically relates classical and quan- 
tum schemes |^. In the present paper, we ask the 
question of whether these capacities may be improved 
by allowing transmission with near-perfect rather than 
perfect privacy, as is usually considered in cryptography. 

Note the following suggestive facts. 2N secret shared 
classical bits can be used in a one-time pad to encrypt 
2 A classical bits (cbits). However, if one asks how many 
private qubits can be transmitted using the secret key, 
the answer is a factor of two less; that same secret 2A^ 
cbit string can only encrypt A^ qubits if perfect privacy is 
required [2l|. If only near-perfect privacy is required, on 
the other hand, the number of secret cbits required per 
encrypted qubit shrinks from 2 to 1 asymptotically |22l| . 
so that the difference between encrypting cbits and qubits 
disappears. 

A similar effect occurs in the domain of communica- 
tion usin g sh ared entanglement. The superdense coding 
protocol [23 uses the transmission of A^ qubits and the 
consumption of A^ ebits to communicate 2A' cbits with 
perfect privacy. (An ebit is a pure, maximally entangled 
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state of two qubits.) The number of qubits that can be 
transmitted with perfect privacy and no errors is again a 
factor of two less, as implemented in the quantum Ver- 
nam cipher |23l |. If either near-perfect privacy or near- 
perfect transmission is permitted, however, the super- 
dense coding protocol can be extended to allow the trans- 
mission of nearly 2N qubits again erasing the dif- 
ference between sending classical and quantum data. The 
fact that the methods developed in [l^ for communicat- 
ing private classical data using a private shared reference 
frame made heavy use of superdense coding suggests that 
it may be possible, by relaxing the security conditions, 
to increase the private quantum capacity by a factor of 
three, from log2 N to nearly 3 log2 N . We shall show that 
this is indeed the case. 



II. PRELIMINARIES 
A. Brief comment on notation 

The symbol for a state (such as ip or p) also denotes 
its density matrix. A pure state is always denoted as a 
ket (e.g., \lp)) and the density matrix for a pure state 
\lp) is written simply as Lp. We will also use the notation 
xn UN if limAT^tx) xn/un = 1- The term wrep denotes 
an irreducible representation of a group. 



B. Private quantum channels using private shared 
correlations 

Whenever Alice and Bob have some private shared cor- 
relation, that is, one to which an eavesdropper Eve does 
not have access. Eve's description of the systems trans- 
mitted along the channel is related to Alice's de scrip tion 
by a decohering superoperator, denoted by £ [21j . 
Before discussing shared reference frames specifically, wc 
begin by formalizing the notions of the private quantum 
and classical capacities of this decohering superoperator. 

A S-private quantum communication scheme for £ con- 
sists of a completely positive, trace-preserving encoding 
C, mapping message states on a logical Hilbcrt space Hl 
to encoded states on the Hilbert space H of the trans- 
mitted system, such that (i) the operation C is invertible 
by Bob (who possesses the private shared correlations), 
allowing him to decode and recover states on Hl with 
perfect fidelity, and (ii) the encoding satisfies 

\\£{^)^Po\W<5, V|^)GHi, (1) 

where po is some fixed state on H, \\p — o-\\^ = Tr|p — a\ 
is the trace distance between p and cr, and i5 is a security 
parameter. When 5 = 0, the scheme is said to be perfectly 
private. The private quantum capacity of this channel, 
Q{£, 5), is defined as Q{£, 5) = sup^; log2 dimHi. 

A 6-private classical communication scheme for £ con- 
sists of a set {pi}™ 1 of density operators on H such that 



(i) the {pi} are orthogonal, so that Bob can distinguish 
these classical messages with certainty, and (ii) the en- 
coding satisfies 

\\£[p^]^Poh <5 (2) 

where, again, po is some fixed state in H and S is 
a security parameter. The private classical capacity 
of this channel, C{£,S), is defined to be C{£,6) = 
supjp.j log2 |{pi}|; where the supremum is over sets of 
density operators {pi} achieving ^-privacy. 

Given iS-privacy, for any pair of quantum or classical 
messages, chosen with equal prior probabilities, the prob- 
ability that Eve can distinguish these is bounded above 
by {l + 6)/2, seen as follows. Suppose the message states 
are gi and p2- These could be either an encoded pair 
of quantum messages, that is, C{gL,i) and C{gL.2) for 
some pair of density operators gL,i and gL,2 on H/,, or 
an encoded pair of classical messages, that is, orthogonal 
density operators. In either case, the optimal probabil- 
ity for Eve to distinguish £(p i ) and £{g2) is given by 
\ + \\\£{gi) - £{g2)\\i HEIla- Making use of the trian- 
gle inequality for the trace norm || • we obtain 

\\£{gi) - £{g2)\\i 

< \\£{g,)-po\\, + \\£{g2)-Poh 

<26, (3) 

where on the second line we have applied the definition 
of (5-privacy. It follows that if the scheme is (5-private, 
Eve's probability of distinguishing the two messages is 
bounded above by (1 + 5)/2. 

C. Private quantum communication using a private 
shared Cartesian frame 

We now determine the superoperator £ that describes 
Eve's ignorance of Alice and Bob's private shared Carte- 
sian frame for states of spin-1/2 particles. (Our de- 
scription applies equally well to any realization of a qubit 
that is entirely defined relative to some reference frame; 
another example is a single-photon polarization qubit.) 
The transmitted Hilbert space H in this case is (C^)**^. 
This Hilbert space carries a tensor power representation 
of SU(2), by which an element Q e SU(2) acts iden- 
tically on each of the TV qubits. For simplicity, we restrict 

to be an even integer for the remainder of this paper, 
but our main results apply straightforwardly to all N. 
Then we can decompose 

N/2 

iC'r^^^M,, (4) 
i=o 

where Mj is the eigenspace of total angular momentum 
with eigenvalue j. 

Each subspace in the direct sum can be factored 
into a tensor product Mj = Mjn ® Mjp, such that SU(2) 
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acts irrcducibly on Mjji and trivially on Mjp. Thus. 



D. The working space 



N/2 

The dimension of Mjn is 

djR = 2j + 1 



and that of ] 



iljP is 



N 



2.7 + 1 



N/2^jJ N/2 + J + 1 



(5) 



(6) 



(7) 



If Alice prepares N qubits in a state p and sends them 
to Bob, an eavesdropper Eve who is uncorrelated with 
the private SRF will describe the state as mixed over all 
rotations O G SU(2). Thus, the superoperator £ acting 
on a general density operator p of TV qubits that describes 
the lack of knowledge of this private SRF is given by |^ 



(8) 



The effect of this superoperator is best seen through use 
of the decomposition of the Hilbert space. The action 
of the superoperator £ can be expressed in terms of this 
decomposition as 

N/2 

£{p) = Y.^v,R ® j,p)(n,pn,) , (9) 

where "Dju is the completely depolarizing superoperator 
on Hj/j, Xjp is the identity superoperator on H^p, and Ilj 
is the projector onto Hj . The subsystems M, p are called 
decoherence-free or noiseless subsystems |28| under the 
action of this superoperator; states encoded into these 
subsystems are completely protected from this decoher- 
ence. In contrast, £n is completely depolarizing on each 
Mjfi subsystem, and thus the Mjn are called decoherence- 
full subsystems [isj . 

The largest decoherence-full subsystem occurs for 
jmax = N/2 and has dimension 2jniax + 1 = VV + 1. As 
proven in this decoherence-full subsystem defines 

the optimally efficient perfectly secure private quantum 
communication scheme. Thus, given a private Carte- 
sian frame and the transmission of N qubits, Alice and 
Bob can with perfect privacy communicate (5(£,0) = 
log2(A^ + 1) log2 N qubits asymptotically. 

In contrast, in that same paper it was shown that 
the private classical capacity using the private shared 
Cartesian frame was given by C{£, 0) ~ 3 log2 N. In Ap- 
pendix ^ we extend the result to show that C{£,5) < 
3(1 + S) log2 N + 3 for S < 1/2. The 5-private classical 
capacity therefore does not change dramatically when 6 
is made non-zero. 



To construct a "working" Hilbert space on which to 
investigate large random subspaces, we use the Hilbert 
space on which the states in the private classical commu- 
nication scheme have support. This Hilbert space is con- 
structed as follows. Note that for all j strictly less than 
the maximum value N/2, the decoherence-free subsys- 
tem Mjp is always of greater or equal dimension than the 
decoherence-full subsystem H^p. Thus, we will employ 
irreps up to, but not including, j — N/2. Let jmin < N/2 
be some fixed irrep. Our working space H' will include 
elements from every irrep in the range jmin < .] < N/2, 
that is, for j € Y, where 



Y ^ {jnun,j,nin + !,■■■, N/2-1}. 



(10) 



For convenience, we denote the dimension of the 
decoherence-full subsystem of the jmin irrep by D, that 
is, D = 2jniin -l- 1. Choose a D— dimensional subspace 



of Hjp for every j £ Y, and a subspace . 



iijP 



of] 



iijp 



that is of dimension Da = Lq^J ' ^'^^ some parameter 
a > 1. Note that such subspaces always exist because 
diniHjp = 2j + 1 > D and dimlHIjP > diniH^p for all 
jeY. 

The Hilbert space of interest is then 



with dimensionality K = dim H' given by 
1 ^ 



(11) 



K 



a ^ 

jeY 

-{N/2 
a 



jmin) (2 j 



1)^ 



(12) 



To maximize this dimension, we choose jmin to be the 
integer nearest to iV/3. In this case, we have asymptoti- 
cally 



2 1 . 
21 a 



(13) 



(More precisely, K — 1 exceeds the righthand side for 
sufficiently large TV, a result we will use later.) 

The superoperator £ maps a state (p on H' to the state 

£{ip) - 5^(/h,hMp) ® Tr,p(H,^H,) , (14) 

where /h^.^ is the identity on H^-p. (Note that the state 
£{(p) will, in general, have support outside of H'.) To 
fully exploit the working space, we will pursue an en- 
coding such that £{'p) is close to maximally mixed on as 
large a subspace as possible. To this end, we define 



where /h'. is the identity on E 



(15) 



11^- p. 
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III. THE MAIN RESULT 

We wish to show that for fixed S, there exists a pri- 
vate quantum communication scheme for £ that scales 
as 3 log2 N. This is achieved by encoding into particular 
subspaces of the working space H'. Suppose that a sub- 
space S* C H' of the appropriate dimensionality is drawn 
at random from some ensemble of subspaces of H'. It is 
then sufficient to show that the probability that encod- 
ing in S is not (5-private is strictly less than 1, because 
this implies that there exist subspaces in the ensemble 
that do yield (5-private schemes. Any such subspace can 
then constitute the logical Hilbcrt space for such a 
scheme. In this case, the encoding map C is simply the 
embedding map, which takes states in C (C^)®^ to 
states in (C^)®^. Consequently, we leave the encoding 
map C implicit in the rest of the paper. 

We shall consider the ensemble of subspaces that is 
generated by drawing uniformly at random from among 
all subspaces of H' of a given dimension. More precisely, 
we shall take S = USq where 5*0 is a fixed subspace of 
H' and C/ is a unitary on H' chosen according to the 
Haar measure dU. The condition that we require S to 
satisfy in order to yield a (5-private scheme is that for all 
\tp) e S, \\£{tp) - polli < S for po given by Eq. so 
that from Eve's perspective all the encoded states (p are 
near indistinguishable. This condition is equivalent to 
demanding that 



max \\£{(p) - polli < 5 , 
\v)es 



(16) 



where the maximization is over all pure states in S. The 
probability that S fails to be (5-private is therefore 



(17) 



Pr niax ||£:((p) -polli > S 



where wc define the probability Pi-s{g{S) > 5) that a 
randomly-chosen S satisfies some inequality g{S) > S hy 



Pr 

s 



(g{S)>5) ^ [ dU. (18) 

^ ^ J{U:giUSo)>S} 



For at least one of the S to be ^-private, wc require that 



(19) 



Pr max||5(</j)-po!li>'5 <1 



for some pq. The following theorem implies that such 
subspaces S, with dimension scaling in the desired fash- 
ion, do exist. 

Theorem 1 For the decoherence map £ associated with 
lacking a reference frame for SU{2), the condition 



Prf max ||£((^)-poili X^j < 1; 



(20) 



holds for sufficiently large N , where the probability is with 
respect to the unitarily invariant measure on subspaces S 
of W , provided 

log2 dim < 3 log2 N + 7/2 logj 5 + C (21) 

where C is a constant. 

Consider, for example, 1/5 = polylog(iV), i.e., a poly- 
nomial in log(A^). Then we can find S* C H' with 
||f ((^) — polli < S for |<^) e S such that 



log2 dim S* ~ 3 log2 N, 



(22) 



recovering the same asymptotic rate as the classical pri- 
vate capacity. In this case, Q[£,5) ~ C[£,Q). 

We prove Theorem ^ via a sequence of lemmas. Our 
starting point is the following result, known as Levy's 
Lemma |29|: 

Lemma 2 (Levy) Let f : ^M. be a continuous real- 
valued function on the k- sphere with Lipschitz constant 
rj with respect to the Euclidean metric. Then, if x is se- 
lected at random from according to the uniform mea- 
sure, 

Pr (|/(x) - M| > 7) < exp2 {~C{k - Ih^rf) , (23) 
where C > is a constant and M is a median for f. 
The function of interest is: 

f{^) = \\£{^)-po\\,. (24) 

Note that the Hilbert space norm on H' is precisely the 
Euclidean norm if the Hilbert space is considered as the 
real vector space . The following lemma bounds the 
Lipschitz constant of this function. 

Lemma 3 (Lipschitz constant) The Lipschitz con- 
stant of f{ip) is bounded above by 2. 

Proof. Using the triangle inequality gives 



\\£i^) - poll, -\\£m- poll, 
< \\£i^)~£m\, . 



(25) 



Because f is a completely positive trace-preserving map, 
and the trace distance is non-increasing under such maps. 



\\£i^)-£m\, < \\^-^\\, . 

Combining these inequalities with the fact that 



Il^>-I^)l 



= 2 
> 1 



2Rc{(p\ip) 
Iv^- "^lli 



(26) 



(27) 
(28) 

(29) 
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we obtain 

<2|lM-|^)|l2, (30) 
which is the desired bound on the Lipschitz constant. ■ 

The next corollary, an immediate consequence of 
Levy's Lemma, bounds the probability that Eve can dis- 
tinguish a random state on H' from po substantially bet- 
ter than she can distinguish states on average. 

Corollary 4 (Concentration of /) Let \(p) be chosen 
at random from the uniform measure on the unit sphere 
in H' and M a median for f . Then 



Pr 



i'{\f{^)-M\ >7) <exp2(- 



(31) 



Proof. Apply Levy to the function f{ip) of Eq. (|24|1 . 
In this case, k = 2K — 1 and rj < 2. ■ 

Next, we relate the median of / to its mean, which is 
easier to estimate. Write 



Kf 



f{(p) dv{(p) 



(32) 



for the expectation of / with respect to the unitarily 
invariant measure dviip) on pure states in H'. Let A> C 
H' be the set of points on the unit sphere for which 
f{if) > M. By the definition of the median. 



f{ip) dv{Lp) >M diy{(p) = M • i 



Letting A< be defined analogously, we get 

E^/= / f{v)dv{^)+[ /(^)dz.(^) > ^, 



(33) 



(34) 



because /((^) > 0. 

Lemma 5 (Expectation of /) The expectation value 
of f{ip) satisfies 



(35) 



The proof is supplied in Appendix ^ but can be 
understood intuitively in terms of the action of £ on 
H'. If the subspaces H^p were 1-dimensional, then by 
virtue of the fact that the Mju are decoherence-full, we 



would have complete decoherence on ] 



Because 



1/a diuiM'jp/ dimH^-^, the larger the value of a, the 
smaller the dimension of H^p relative to W.'^^, and the 
less distinguishable on average are states on Mjji Mjp 
subsequent to the action of £. One might expect that 
states could be distinguished by their relative supports 
on the different irreps j € because these supports 
are invariant under the action of £. However, the proof 
demonstrates that because we use only sufficiently large 



irreps, all encoded states will have similar supports on all 
irreps, and thus not be significantly more distinguishable 
than if a single irrep had been used. 

We note that the proof of the lemma requires that, 
within each irrep j € Y, the dimension Da of H^p be 
much smaller than the dimension D of the decoherence- 
full subsystem Mjn. For this reason, our result does not 
apply directly to cryptography using a U(l) phase ref- 
erence, for which the decoherence-full subsystems are all 
one-dimensional. However, for any other reference frame 
that satisfies this condition, our results should be directly 
applicable. 

We conclude that the median M is upper bounded by 
which, using Corollary^ leads to the result 



Pr(||5(^)-po!li >7+^ 



<exp2 (-j{K-l)r 



(36) 



This inequality is sufficiently strong that we will be 
able to use it to conclude that large subspaces of H' have 
the property that the distinguishability of all states in 
the subspace are bounded. 



Lemma 6 (Existence of good subspaces) Let Sq C 

H' be a fixed subspace and \ipo) a fixed state on So- Let 
S = USq be a random subspace obtained from Sq using a 
Haar- distributed unitary U on W . Then, for any S > 
andO<e < 1/2, 



Pr( max f(ip) > S 



< 



2 dim S 



Pr 

u 



[fiU\^o))>5-e). (37) 



Proof. Fix an e/2-net Mq for the unit sphere of a fixed 
subspace 5*0 of H' with the Hilbert space norm. The 
net can be chosen such that the number of elements in 
the net satisfies |A/'o| < (5/e)2d™So_ (gee j^l a proof 
of this fact.) By definition, given any \ip) € 5*0, there 
exists a state \(f) G Aq such that || \ip) — \(p) II2 < e/2. By 
Lemma 13 this implies that \f{if) — /(<^)| < e. 

Now choose a random subspace S = USq using a Haar- 
distributcd unitary. This unitary U maps the net Ao for 
Sq into a net Af for S. Let \ip*) be defined by 



max/((^). 



(38) 



By definition, there exists a state \(p*) E Af such that 
II \(p*)-\^*) II2 < e/2, and consequently \f{'P*)-f{^*)\ < 
e. It follows that if /(<p*) > S, then f{(f*) > S - e. 
Therefore, if 



max f{tp) > 5, 



then 



max f {(f) > 5 

\(p)£M 



(39) 
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Finally, if x implies y, then Pr(a;) < Pr(?;), so we conclude 
that 



Pr max f{^) ><5 < Pr max /([/ \ip)) > S - e 
s \\ip)es J u \\ip)eM, 

(40) 

where Pvu reminds the reader that we are varying over 
unitaries. We then have 



Pr( max f{U\^))>5-e) 



< PjifiU\v))>5-e) 



= Wo\Pj{fiU\^o))>5-e) , (41) 

where the first inequality is the union bound for proba- 
bilities and the second line follows from the fact that the 
expression inside the sum over is independent of \ip) 
{\(po) is an arbitrary state in H'). Recalling that |Ao| 
< (S/e)^^"""^" establishes what we set out to prove. ■ 

Using the lemma together with Eq. H36|) . we obtain 



Pr max \\£{(p) - po\\^ > 6 



<,5 



2dimS 



exp2 



2 \/a 



(42) 



If dim S is chosen such that the right hand side is 
bounded away from 1, then the left hand side will also 
be bounded away from 1, and there will exist a 5-private 
encoding into a subspace S. We will therefore seek the 
largest value of dim S that satisfies the inequality 

f. \ 2 dim S / p 9 \ 

^ <exp2(^-(i^-l)(<5-£-— )2j, (43) 

or equivalently 

Given that In a; < ^/x, we have l/ln(|) > and 
any S satisfying 

dim 5 < ^Jl^iK -l){S-e-^r, (45) 

will also satisfy Eq. (|44|l . Using the expression for K in 
Eq. H13|l. it is sufficient to require that 



J. ^ Cln2 1 ^ 2 ^ 

dmiS* < --N^(S-e ^ Ve 

54^5 a \/a 



(46) 



for sufficiently large N. If we choose e — S/3 and a 
36/(5^, then this expression reduces to 



dim5<-^l^W/2 



It is therefore possible to choose S such that f{(p) < 5 
for all \ip) € S whenever 

log2 dim S* < 3 log2 N + 7/2 log^ S + C (48) 



5832V15 



(47) 



where C = log2[(Cln2)/(5832V15)], completing the 
proof of Theorem n 



IV. DISCUSSION 

We have seen that for fixed i5 > 0, the 5-private quan- 
tum capacity of a secret SU(2) reference frame is at least 
three times as large as its perfectly private quantum ca- 
pacity. Indeed, the relaxation of the security requirement 
to (5 > causes the private quantum capacity to jump 
almost to the value of the perfectly private classical ca- 
pacity, which is approximately 3 log2 N, and within a fac- 
tor of 1 -I- (5 of the (5-private classical capacity. In earlier 
work, a similar relaxation of the security condition in the 
quantum one time pad led to a doubling of the priv ate 
quantum capacity of a shared secret key string [22| as 
well as a similar doubling of the capacity of a maximally 
entangled state HSl- The tripHng of the capacity 
seen here, however, is unusual and reflects the particular 
structure of the tensor power representation of SU(2). 

Because the private capacity of a shared reference 
frame is proportional to log2 N rather than N, however, 
the values of S which provide an improvement over the 
perfectly private schemes is quite restricted. From The- 
orem ^ we see that for sufficiently large A^, 

Q{£,S)>'S log2 N+^- log2 6 + C (49) 

for some constant C" . In order to improve upon the per- 
fectly private scheme, we require that Q{£,S) > \0g2N, 
which implies that 1/S £ 0{N^/'^). In particular, our 
construction does not allow 5 to be an exponentially de- 
creasing function of A^, which would obviously be more 
desirable for cryptographic applications. 

Some questions remain about the optimality of the pri- 
vate quantum communication schemes we have presented 
here. In particular, our upper bounds on the private 
quantum capacity do not exclude the possibility that 
5 could be made to shrink exponentially with N while 
maintaining a number of qubits sent scaling as 3 logj N . 
Also, we have not attempted to construct (5-private clas- 
sical communication schemes meeting the upper bound 
of Theorem in Appendix IXI 

Finally, we note that a shared Cartesian frame is not 
the only possible form of a shared reference and 
it is useful to consider other practical examples such as 
a shared phase reference, shared direction, or reference 
ordering. These examples have different Hilbert-space 
structures arising from their group representation theory, 
and in general will result in different relations between 
their private classical and quantum capacities. We note 
that our technique should apply directly to cryptography 
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using a reference frame for U{K), with K > 2, because 
the Hilbert space structures for these groups satisfy the 
conditions required for our proof. Whether similar differ- 
ences between perfectly-private and (5-private capacities 
can be found for other reference frames is an open ques- 
tion. 
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APPENDIX A: (5-PRIVATE CLASSICAL 
CAPACITY 

Theorem 7 For 6 < 1/2 , the 5-private classical capacity 
satisfies C{E, 5) < 3(1 + S) logs + 3. 

Proof. Suppose we have a ^-private classical communi- 
cation scheme for £ consisting of m states on H. If such a 
scheme exists, then there is also an m-state scheme using 
pure states, which we will label We will use the 

privacy condition to find a small subspace of H such that 
these states are almost entirely contained within the sub- 
space. Combining the Holevo bound with the fact that 
the original states were all distinguishable will then lead 
to an upper bound on to, the number of states in the 
scheme. 

Let M.jQ be the subspace of Mjp corresponding to the 
non-zero eigenvalues of Trjflpj'i/'iIIj] and let IIjq be the 
projector onto Hj-g. It follows from the Schmidt decom- 
position for Iljl'i/'i) that dimHjQ < mm{djj^, djp). Also 
let n' = J2j n^fl ® n^Q, where Iljji is the projector onto 
Mjf). Observe that for any ipi, 

Tr[nv,n'] = Tr[£(nv,n')] = Tr[n'£(^on'] (ai) 

because £ is trace-preserving and because projection by 
n' commutes with £. By the privacy condition, however, 

S > (A2) 
> 2{Tr[n'£(^i)n'] -Tr[n'f(^On']} (A3) 
= 2{i-Tr[n'£:(v;.)n']}. (A4) 

The second inequality holds because ||A||i = 
2maxpTr[PAr] for traceless, Hermitian X, where 
the optimization is over projectors of all ranks. (See, for 
example, Q.) Combining (|A4p with (|A1|) shows that 
Tr[nV,n'] > 1 - S/2. Thus the states are 
essentially contained within the subspace defined by 11'. 



Now consider the set of states where 

n'lv^.) 



^Trp'v.n'] 



(A5) 



Because = TrpVill'], performing the mea- 

surement {\ipj){ipj\}JLi on the set of states {IV';)}!^! 
will correctly identify the state with probability at least 
1 — d/2. Assume a state \^'^) is chosen from the uniform 
distribution. By Fano's inequality [30l |. 



Hii\j) < l + -l0g2TO, 



(A6) 



where H is the Shannon conditional entropy function, 
which in turn implies that 



I{t;j)>{l-S/2)\og^m-l, 



(A7) 



where / is the mutual information function. Because 
all the states |V'i) are contained in the support of 11', 
however, the Holevo bound [U implies that is no 

more than the logarithm of rankH', which satisfies 

rankH' < dju ■ min((ijfl, djp). (A8) 



In the case of a private shared SU(2) reference frame, 
for which djB. = 2j + 1, 

TunkU' < {N/2 + l){N + lf <2N^, (A9) 

where the second inequality holds for all A^ > 2. This 
implies that 



log2 TO < 

provided S < 1/2 



3 log2 A^ + 2 



(AlO) 



1-6/2 

< 3(1 <5) log2 TV 3, (All) 



APPENDIX B: PROOF OF LEMMAS 

The map £ depolarizes each of the systems Mjp but for 
the purposes of calculation, it is easier to simply discard 
them. In the proof, therefore, we will work with the space 
Hp = ©jgyH^-p, which has dimension dp = dim Hp. 
Observe that if we introduce 

^(p) = ^Tr,p(H,/9n,), (Bl) 

jeY 

which gives a normalized state on Hp, then 

\\£{^)-po\\i = m^)-go\\i, (B2) 

where qq = Ip /dp is the normalized identity operator on 
H^. 
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Using llXlli < VrankX||X|l2 ffives 

||^M-^>ojll< v^ll^M-^^oll2. (B3) 

We therefore have 

E^/ < Vd^ J W^i^) - go hdi^i^) 

(B4) 

Using the normaUzation TiJ-{ip) = 1 and the concavity 
of the square root function, this expression reduces to 



Kf<\jj dpi:T[T{^Y] dv{^) - 1. (B5) 



It therefore suffices to evaluate 



TT[Hvf]dy{^) 



j Tr [(^ Tr.fl (n,^n,)) '] dv{^) . (B6) 



Because Hj has the form Ilj = HjR ^ H^p, where 11^^ 
and Hjp are the projectors onto Mjp and Mjp respec- 
tively, Tvjji{Uj(pIlj) and TrkpiUk'P^k) have orthogonal 
supports, implying that 



= Tr[^(Tr,j^ (n.^H, 



(B7) 

To evaluate the resulting integral, fix bases {|to)}^^i and 
{lOl^l foi' the spaces H^-^ and M'jp respectively. (Note 
that we identify bases labelled by different values of j.) 
Also let \(po) = Ijo'TiQ^o) for some fixed values of jo, "Iq 
and Iq . Using Eq. ljB7p and making use of the invariance 
of the measure, we can expand the integral of Eq. ljB6|) 
as 



D Da 



/ TT[T{U(poU^)'^]dU yj zZ / Ujml,jomoloUJml',jomolo^3-ni'l',]ornoloUjm'l.jomolodU , (B8) 



which can be evaluated using the identity (see, for example, |32l| ) 



IU{K) 

We obtain 



•^U(-fS') jey m,m' = l i,i' = l ^ ' 

K{K + l) 

I 



(B9) 

(BIO) 
(Bll) 



Substituting this back into the expression for E^/ yields get E^/ < ^jDa/D. Because Da < ^D, we have the 

desired inequality: 



K{K 



J&Y 



(B13) 



Recalling that dp = J2jeY and K = J2jeY ^aD, we 
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